Jim Killock of the Open Rights Group (ORG) civil liberties organisation has warned The Canary that surveillance and analytics firm Palantir is “not a company you want handling sensitive personal data”. He says that Palantir is already “crossing a red line” by analysing NHS data as part of efforts to combat the coronavirus (Covid-19) pandemic.
Palantir is not permitted to use NHS data unless…
The British government has said in a statement that:
Palantir is a data processor, not a data controller, and cannot pass on or use the data for any wider purpose without the permission of NHS England
Palantir itself responded (sort of) to a list of 10 questions sent to it by Privacy International, Big Brother Watch, Foxglove, medConfidential, and ORG on 6 May 2020. In its response, the company said that “the NHS retains full ownership of NHS data and any analysis derived from this data”. It adds that “any access to customer data under any circumstances would be strictly at the direction of customers”. In this case, that would be the NHS.
A reply from NHSX (an NHS division specialising in digital innovation) confirmed that NHS England, NHS Digital, and NHSX will retain all intellectual property of the data.
But it’s unclear who within the NHS would need to give Palantir permission to access patient or other data, to what extent any such permission would be properly reported to the public, or whether the “permission” required is even technologically necessary for Palantir to gain access to or pass on NHS data.
Killock says that the “NHS should assume the temptation may exist” for Palantir to use its access to the NHS, now or in the future, to facilitate spying or blackmail of individuals, and that the NHS should “plan to make it impossible”.
Palantir’s long and sordid history
Killock also confirmed that Palantir’s history of targeting labour unions, journalists, and political organisations, as well as its links to the CIA, has strongly influenced ORG’s position on the company’s involvement with the NHS.
In 2013, investigative journalist Lee Fang explained that:
Palantir’s rise to prominence, now reportedly valued at $8 billion, came from initial investment from In-Q-Tel, the venture capital arm of the CIA, and close consultation with officials from the intelligence-gathering community, including disgraced retired admiral John Poindexter and Bryan Cunningham, a former adviser to Condoleezza Rice.
In 2010, Palantir, along with firms HBGary Federal and Berico, was solicited by the US Chamber of Commerce to target its critics. The group began “plotting a campaign of snooping on activists’ families and even using sophisticated hacking tools to break into computers”.
As Fang notes:
The tactics described in the proposals are illegal. However, there were no discussions in the leaked e-mails about the legality of using such tactics. Rather, the Chamber’s attorneys and the three contractors quibbled for weeks about how much to charge the Chamber for these hacking services. At one point, they demanded $2 million a month.
The risk of “vendor lock in” is very real
Killock says ORG’s current concerns include the “potential for vendor lock in – leading to simple profiteering”. This is “extremely easy to take place when people are rushing and failing to do due diligence on contracts”, as is currently happening during the coronavirus pandemic.
Palantir may become impossible to remove [from public service contracts], and increasingly [become] involved with personal data. They have already been granted access to ‘anonymised’ personal data – this is usually data that can be relinked to people in practice, so already promises that they wouldn’t handle personal data have been broken
NHSX responds to concerns
The Canary contacted NHSX and asked about the nature of its relationship with Palantir and the appropriateness of such a company – which has been implicated in human rights abuses – handling NHS data.
To help us confront the unprecedented challenge from Coronavirus, ministers and health leaders need access to real-time information about health services, showing where demand is rising and where critical equipment needs to be deployed.
Strict data protection rules apply to everyone involved in helping in this critical task. The companies involved do not control the data and are not permitted to use or share it for their own purposes.
At the end of the Coronavirus public health emergency their work will either be deleted or returned to the NHS.
‘Surveillance firms have no place in handling sensitive data’
when personal data is handled, [Palantir] should be excluded while they have a surveillance business, in much the same way as companies like Lockheed Martin which sell surveillance tech as well as business tech must be treated with caution.
“Even if the companies could be trusted,” Killock said, “there is a huge issue of public perception.”
Palantir failed to respond to repeated requests for comment.
Feature image via EFF/Wikimedia Commons